[keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly

Linda Sauder Linda.Sauder at amdocs.com
Wed Aug 8 06:07:27 EDT 2018


Hello.

I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly.

My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed.

In my test .war file there is a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml, which is configured like this:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>Application Container</display-name>

    <welcome-file-list>
        <welcome-file>ApplicationContainer.html</welcome-file>
    </welcome-file-list>

    <!-- Hand authentication to the Keycloak SAML adapter installed in Wildfly. -->
    <login-config>
        <auth-method>KEYCLOAK-SAML</auth-method>
        <realm-name>keycloak</realm-name>
    </login-config>

    <security-constraint>
        <display-name>Application Container Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>All Resources</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- No <http-method> elements: listing only GET and POST would leave
                 every other method (HEAD, PUT, DELETE, OPTIONS, ...) unprotected,
                 because a constraint applies only to the methods it names. -->
        </web-resource-collection>

        <!-- Only callers carrying this role (after any adapter-side role mapping) get in. -->
        <auth-constraint>
            <role-name>hallo</role-name>
        </auth-constraint>
    </security-constraint>

</web-app>

My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP.

Which brings me to the part where I thought I could use some login-module configuration from the standalone configuration. I tried to configure this in a file named jboss-web.xml.

How can I handle the role mapping locally?

Thanks in advance.
--
Linda
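As an added example (not part of the original post, and not the poster's configuration): the Keycloak SAML adapter can rewrite the roles it extracts from the assertion before the container evaluates the auth-constraint in web.xml, using a RoleMappingsProvider element in keycloak-saml.xml. The built-in properties-based-role-mapper reads a properties file whose keys are the role names received from the IDP and whose values are the comma-separated local roles they become. The element was added to the adapter in later 4.x releases, so an adapter older than that will not accept it; check the adapter version first. The SP entityID, IDP entityID and URL, and the properties file path below are placeholders chosen for the example.

```xml
<!-- keycloak-saml.xml, placed in WEB-INF next to web.xml. Constructed example. -->
<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter">
    <!-- entityID is a placeholder; it must match the client registered at the IDP. -->
    <SP entityID="application-container" sslPolicy="EXTERNAL">
        <PrincipalNameMapping policy="FROM_NAME_ID"/>

        <!-- The SAML attribute whose values the adapter treats as roles. -->
        <RoleIdentifiers>
            <Attribute name="Role"/>
        </RoleIdentifiers>

        <!-- Map IDP roles to local roles before the container checks web.xml.
             Path is a placeholder; properties.resource.location reads the
             file from the classpath instead of the filesystem.

             Contents of the (constructed) roles.properties file:

               # IDP role = comma-separated local roles
               idp-app-users=hallo
               idp-admins=hallo,admin
               # mapping a role to an empty list removes it
               idp-guests=

             Roles with no entry in the file are passed through unchanged,
             so keep the file complete for every IDP role you expect. -->
        <RoleMappingsProvider id="properties-based-role-mapper">
            <Property name="properties.file.location" value="/opt/app/roles.properties"/>
        </RoleMappingsProvider>

        <!-- entityID and bindingUrl are placeholders for the real IDP. -->
        <IDP entityID="idp" signaturesRequired="true">
            <SingleSignOnService requestBinding="POST"
                bindingUrl="https://idp.example.test/auth/realms/keycloak/protocol/saml"/>
        </IDP>
    </SP>
</keycloak-saml-adapter>
```

With this in place the auth-constraint in web.xml keeps referring to the local role name (hallo), and the adapter is the only component that needs to know the IDP's role names, which is the separation the post is asking for. Keep the properties file outside the deployment and readable only by the Wildfly user, since anyone who can edit it can grant themselves any local role.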